Remote Syslog for FW

How many of you push your logs out to a remote syslog server of some kind?

This is probably one of the last projects I have for my home setup, besides maybe configuring my name server to forward traffic using DoT to Cloudflare. I just migrated over to Kea for DHCP and got it running in a container. That was the last big checklist item I wanted to complete. Now nothing is running on the host directly. Kinda cool.

Depends on the firewall you are using. If you want logs from your DHCP server in a container, this could be a challenge because you’ll need to install something like rsyslog to forward the logs to something like Graylog.
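An added example of the forwarding setup the reply above describes (not configuration from anyone in this thread): an rsyslog.conf fragment that tails a Kea DHCP log file and ships it to a Graylog syslog TCP input over TLS, with a disk-assisted queue so lines are not lost while Graylog is down. The log file path, the Graylog hostname and port, and the CA file location are assumptions.

```conf
# rsyslog.conf fragment (added example, not from this thread).
# Assumptions: Kea writes to /var/log/kea/kea-dhcp4.log (bind-mounted out of
# the container), Graylog runs a Syslog TCP input on graylog.example.lan:1514
# with TLS enabled, and the CA that signed its certificate is at
# /etc/rsyslog.d/graylog-ca.pem.

# TLS defaults for outbound connections
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/rsyslog.d/graylog-ca.pem")

# Tail the Kea log file; the tag lets Graylog tell these lines apart
# from the rest of the host's syslog traffic
module(load="imfile")
input(type="imfile"
      File="/var/log/kea/kea-dhcp4.log"
      Tag="kea-dhcp4:"
      Facility="local1"
      Severity="info"
      ruleset="to_graylog")

# Forward as RFC 5424 (Graylog's syslog input parses it natively).
# StreamDriverAuthMode="x509/name" makes rsyslog verify that the server
# certificate matches the permitted peer name, so logs are not handed to
# an impostor on the path to Graylog.
# The LinkedList queue with a filename spills to disk when Graylog is
# unreachable; resumeRetryCount=-1 keeps retrying forever.
ruleset(name="to_graylog") {
    action(type="omfwd"
           Target="graylog.example.lan"
           Port="1514"
           Protocol="tcp"
           Template="RSYSLOG_SyslogProtocol23Format"
           StreamDriver="gtls"
           StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="graylog.example.lan"
           queue.type="LinkedList"
           queue.filename="fwd_graylog"
           queue.maxDiskSpace="1g"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

After restarting rsyslog, a line appended to the Kea log should appear in Graylog tagged kea-dhcp4; if it does not, `rsyslogd -N1` validates the syntax and the rsyslog log shows TLS handshake errors.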

Do you do this with pfsense (or any FW really) for the various services running on it?

I have never done this with pfsense before so I am not sure how much a person can tweak this on pfsense. I am more curious if this is a common practice for stuff running on the FW: ssh, dns, dhcp, vpn, etc.

From what I understand, this is a best-practice type of configuration that might enable forensic analysis in the event your box gets popped. Arguably overkill for home setups, but there seem to be a lot of corp admins in here. Wondering if that is done at the corporate level much?

The last time I admin’ed a FW box at that level I sort of did this for some things, but not really. Spread too thin.

I admin roughly 15 pfsense firewalls and I also have them sending logs back to graylog. Tom has a great guide to setting up graylog in docker and pfsense to talk to it.

I recently created the proper extractor for pfsense on my GitHub.


Thanks. I will probably take a look at that out of curiosity. I don’t run pfsense at my office or house anymore, but it would still be interesting to watch.

I remember why fully deploying a syslog server was always a project I would finish later. For my little setup now I think forgoing this project is the best route. If somebody gets through all my defenses I am so hopelessly screwed anyway. And I am kidding myself if I think I would analyze the logs to try and see how they got in after the fact.